DHS still has much to do just to assess its cybersecurity workforce as a step toward addressing its shortage of employees with those needed skills, GAO has reported.

“DHS did not establish timely and complete procedures to identify, categorize, and code its cybersecurity position vacancies and responsibilities,” GAO said. For example, the department reported to Congress last year that it had coded 95 percent of those jobs but GAO found the percentage to be closer to 79 percent. That was largely because DHS excluded vacant positions, even though he Homeland Security Cybersecurity Workforce Assessment Act of 2014 required it to include such positions.

That law required DHS to identify and report its cybersecurity workforce critical needs; similar requirements also apply under the 2016 The Federal Cybersecurity Workforce Assessment Act and the 2013 OPM Special Cybersecurity Workforce Project.

“In addition, although DHS has taken steps to identify its workforce capability gaps, it has not identified or reported to the Congress on its department-wide cybersecurity critical needs that align with specialty areas. The department also has not reported annually its cybersecurity critical needs to the Office of Personnel Management, as required, and has not developed plans with clearly defined time frames for doing so,” the report said.

DHS agreed with recommendations including to ensure that its cybersecurity workforce procedures identify position vacancies and responsibilities; that reported workforce data are complete and accurate; and that plans for reporting on critical needs are developed.